Slashdot Mirror
SANS/FBI Release Top 20 Security Vulnerabilities
theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.
Should this even be competitive?
IIS!!
Not any particular 'sploit, but on the page, IIS is THE NUMBER ONE vulnerability for Windows boxen.
Like Mr. Valentine said, "[Microsoft's] products are not engineered for security". Or something like that.
--j
It's a perfect split, 50/50 (or 10 and 10). I hope this settles the "which OS is more secure" debate once and for all.
Like I've been saying, they're exactly the same.
-- Ignorance is Bliss.
Security Problems Under windows: Type something and it frigs up yo$%@@FJAKSD&*F(A(
in girum imus nocte et consumimur igni
#8 is listed here.
If you are using IE, your computer is vunerable to numerous security breaches.
If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vunerabilities in applications that are only installed by default on SOME Windows versions (IIS).
And if memory serves, the Unix list is exactly the same, with perhaps the exception of Apache. The r* services, sendmail, yep, all still there. Who in their right mind uses r* and sendmail on anything connected to the public internet?
Anyone correct me on whether the others have changed? They all look familiar to me.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
...is Apache listed as #2 under UNIX? It's not exactly bug-rittled doom-ware like IIS. A few mistakes every now and then hardly qualifies for a #2 rateing. it's not like, 50 new exploits are found a month or something. and as for RPC at #1...you get what you ask for.
Interesting that all but one of the UNIX probs can also be traced to Windows. Apcahe runs on on Unix and Windows. FTP, RPC etc etc
Looks like the FBI is clueless, jeez why do they even bother. Must have been some grant money available they wanted.
It's simple there are more windows boxen on the net ergo they have more problems. I _believe_ that unix is more secure but I'm not going to bet on it.
Great, now n00bs hackers will know the top 20 exploits and will of course abuse those in the top-5.
They left Outlook and it's derivatives off the Windows list. Nevermind the root VBS cause.
But they seem to have really had to reach to get 10 for Unix.
Man... how much did this 'study' cost?
I think every user having the equivalent of "root" by default is probably far worse.
This sig is xenon coated, and will glow red when in the presence of aliens
They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.
If you can get the information that you want (eg passwords) from a person who knows the information, all the patches in the world won't protect your network...
--
http://www.aikiweb.com - AikiWeb Aikido Information
At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistake
This seems like a really bad idea. Giving people a list of port they should block traffic to implies that they needn't properly lock down their rulesets properly, andd have accept as the default policy.
Plus, you don't even need to spend on AV software from snake oil vendors.
All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.
Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).
Free Clue: if you didn't get in on the first 2000 tries, go waste someone else's bandwidth!
take a look
http://www.sans.org/top20/top20_Oct01.htm is the list from 2001
http://www.sans.org/topten.htm is the list from 2000
The SANS have been doing this for years, this is just the updated version of it. Come on slashdot, do at least a little fact checking.
I think they made a mistake. The #1 security vulnerability is Windows itself. Running Windows is really what puts people at risk unless perhaps they close their computers to the oiutside world, i.e. no internet, and install no software on them.
Version number hiding is not the way to go. And let me explain why: Nimda / Code Red. ISS only. Certain versions of ISS only. And do you think that the virus checks for the HTTP Server-string before it sends it payload? No way. Brute force. Just send the exploit and check later if it was successfull. I have the logs of my Apache webservers to show this behaviour.
Same with the bugbear[sp] worm at this moment. "Check all the shares on the system. Found one! Let's copy to there." Zwoooosh there goes another sheet of paper through the printer.
For administrative purposes, being able to find out what version of software is running is essential. In a company with tens of locations and thousands of computers, nobody will be able to keep a list of software installed on all these things, let alone keep track of the versions.
A weekly scan by the corperate IT department and they know what MTAs and versions are there, what FTP servers and version, what DNS servers and versions are there. An update is released? Just inform the right people (i.e. the LAN administrators, not the people who own these servers). An exploit has become known? At least you know how vulnerable you are instead of panicing and trying to get (obsolete) lists from all over the place.
So yeah, version number hiding doesn't reduce the attackrate but does reduce the ability to act.
bash$
I thought it was kind of amusing, the list being broken up into 2 catagories. Without a doubt, the highest number of vunerabilities are on the Windows side, especially in IE and VBScript. But lets not forget that Apache isnt immune either.. and for that matter, who can forget the infamous sendmail vunerability, and also dont forget misconfigured sendmails from our friends in the East are what allow so many of those cute spam messages we all love so much to get to us. And hell, I can remember stealing password lists with a nice PHP vunerability for years (goes to show that once you get used to an attack, you stick with it).luckily with IDS systems like Snort (http://www.snort.org) companie can monitor attacks as they happen (be sure to compare the size of the Web-Vunerabilities and Virus Rules files with the others...). But either way, the higher count is definitly on the Windows side.
Not only is Apache very widely deployed, it is also quite easy to misconfigure it. If you read the article, they're not talking about software insecurities alone: they're talking about misconfiguration and bad management of machines. For example, weak/non-existant passwords is on both lists.
They're not saying that Apache is insecure but rather that it is a potential risk if the admin is not sufficiently competent.
In Soviet Russia, hot grits put YOU down THEIR pants.
A bit of highlighting that they ignored this article since 8am and it gets knocked down as off topic to a -1 where nobody will see it. /. doesn't seem to have a problem with highlighting other org's problems, but their own get censored big time and fast...BIG POINTS LOST ON CREDIBILTY HERE!
I have to disagree with their evaluation of item W10, Windows Scripting Host. They're essentially blaming it for improper use by mail clients (I never heard of anything other than Outlook or Outlook Express having problems with .vbs scripts run through WSH -- Word macros, while VB, are not VBScript, and don't go through WSH. IE embeds vbscript and jscript, again not through WSH, so while I guess you could download a .vbs, you'd have to be a moron to tell it to run automatically). Sure, they do include the line, "While administrators should always keep applications like browsers, mail clients and productivity suites patched and updated, patching these applications to eliminate their susceptibility to a particular worm is an incomplete (and no better than reactive) solution to the risks posed by scripting," but that's paramount to suggesting all scripting is bad. Would it be bash's fault if mutt auto-ran .sh extensions? Or would it be perl's fault if mutt did the same thing with .pl extensions? No, it wouldn't, so to fault WSH for Outlook/OE problems is pretty ludicrous.
WSH is a very useful tool when used properly, just as bash or perl are very useful when used properly. Misuse by one or several applications does not mean the tool itself is at fault. A better thing to blame would be running as administrator (in NT-based Windows systems) full-time, rather than as a non-admin user. Again, this is directly parallel to running as root 24/7 in a unix system. You wouldn't do it there, so why do it in Windows? (Win9x is dead, let it rest in peace.)
the "Slashdot Effect" DOS did not make the top 20.
Never answer an anonymous letter. - Yogi Berra
I think this is good that they are getting the word out. Since this is SANS and the FBI working on it, maybe crappy admins will take these issues more seriously. *MAYBE*
Misconfigured webservers. Formail.pl, things run using suexec, and other problems are the #1 way to get into a system using a webserver. Chunked encoding and OpenSSL are just core problems, the fact is that most people don't know how to configure it at all.
Obviously there is a large enough portion to support spammers, otherwise I'd not be getting so many requests for formail.pl in my logs (always set to email from some aol.com email address, most recently f2@aol.com, and sending to another fake address, most recently phishtank@yahoo.com, with a subject of my server name and a body of "w00t").
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Do you have a full list of those extensions, or do I need to dig through the "File Types" list?
Boobies never hurt anyone. - Sherry Glaser.
Looks to me like the ran out of ones to include in the unix list and decided they wanted to be fair to the poor windows people and add weak passwords as a security vulnerability.
What we need is a greater knee-jerk reaction. A few months ago I got rid of WSH using "format c: /q /u". Now running OSX on new iMac, and old PC is a lovely Linux firewall. I think the top 10 Windows problems might not bother me now. ;)
Top 10 Windows Vulnerabilities:
1. Windows
2. Windows
3. Windows
4. Windows
5. Windows
6. Windows
7. Windows
8. Windows
9. Windows
10. Windows
Table-ized A.I.
The user. Windows OR Unix.
What's in a Sig?
There's a Wired Article that explains the list a little bit more in case security is not your forte.
Would this be the same SANS group of idiots that consistently had their DNS hijacked to point to a porn site? Looks like it...
What I found most interesting about the article was that they presented what is a pretty good argument for security through obscurity (as a way to augment security, not as the only means of course). The following is from their list of ways to secure apache:
# Modify the default Apache HTTP Response token. This will allow your Apache server to return false information in its response header, which helps hide the web server's software. While this technique will not prevent a determined attacker from discovering your software, it can greatly protect your Apache web server from worms which trigger their attack code based on the information returned from headers. Please see the Security Focus discussion on how this can deter the Apache/mod_ssl Worm described in CERT Advisory CA-2002-27.
We spend enough time bashing the concept here, but with all the worms out there it might be time to start taking it more seriously.
They're all security holes, if they aren't patched. Very few of the things that they listed aren't completely patchable (yes, including IIS). Keep up with the patches, and don't do stupid things, and you'll be fine.
Since nothing from mac os 9 and under, does that mean it's the most secure? hehe.
On a serious note, I doubt that many Windows admins are going to go through this trouble. Nimda was a good example. As they say, you can lead a horse to water...
IF take comen Sanse and devide by say varible FBI you get useless 20....
Who controls the information, controls the world...
Top Vulnerabilities to Windows Systems
1. Internet Information Services (IIS)
2. Microsoft Data Access Components (MDAC) - Remote Data Services
3. Microsoft SQL Server
4. NETBIOS - unprotected Windows Networking Shares
I removed all the listed vulnerabilities and now my users are complaining that our web site is down, they can't access the intranet or any of our file servers and can't get data from our database server.
What can I do to ensure you never say 'sploit again?
sooo geeks and geekets how many of you bragging pissy ass geeks have actually closed up these vulnerabilities. its fun to poke at other peoples systems. but if you actually are an administrator have you actually fixed them. how about training users and setting up stong password filters. are your houses made of glass. /. ers
lets take a pole here
how many of you have actually inplemented this.
i hade to sa it but when i admined 1000 win2k boxen windows update was my best friend. wheres the unix analoug.
but then again i got a mac and a bunch of them too. no leaks there he he.
*ingrains head into table* Insightful?? Not Funny?? Bah. I won't complain.
--j
sort of ironic that something called the "secure shell" is listed as #3 on the FBI's top Unix vulnerability. I did sort of find it interesting that Apache actually listed higher than FTP (wu especially), and sendmail. It strikes me as sort of unfair concluding that Apache is insecure do to CGI, which really Apache can't help you with. If you use/write insecure CGI scripts, you're server is insecure, but that is hardly the fault of Apache more than it is of perl if you don't use warnings and taint mode.
Risking being flamed here, but if you're going to point out that IIS is #1 for windows, you should also point out that the number two vulnerability for nix systems according to this article is Apache.
There is an very easy solution to eliminate the top 10 problems. Stop using all microsoft applications and plateforms.
Just my $.02.
NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
no macintoshes mentioned . and the software update was all over the shell vulnerability issue last week. ya want secure get a mac.
ha ha ha ha
did anyone notice that the solution to most problems on the windows side is patch? I suspect this is also true for the 'nix side.
Also several of the Unix problems are also for windows just not top ten:
Unix #10 and Windows #7
Weak passwords: in NT type systems you can set a minumum complexity for passwords in regard to length and funky charachters.
NT/2K also suffers from U4&5 FTP & SNMP
Not true (on NT/2K, that is). Everyone gets Full Control NTFS permissions to the entire file system by default, but users have to be added to the Administrators group to get Administrator privileges to the OS itself.
There is no "blaim" intended in making those lists. It's not a "Top 10 programs whose creators and users should be punished for being insecure". It is merely a list to help admins maintain secure machines. As far as these lists go, "fault" doesn't enter in to it, therefore there is no "fair" or "Unfair" to their contents.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
I forgot to add: "Since it is all integrated"
Table-ized A.I.
So what to do with FTP?
The openSSH sftp client really sucks, it's barely usable, no frills, almost seems like a "proof of concept" as it were. It gets the job done, barely.
So our customers need to upload files. With FTP in IE and Netscape and Mozilla, they can drag and drop the files into the browser and log in and send the files.
Another option is to use HTTP PUT, but since our clients are uploading 50 meg files, no progress feedback is a killer there. Is there some open source client-side-java-pretty-HTTP-PUT-uploader out there? Even then you have to have your clients have Java installed, something that can't really be counted on.
Other options.... Put putty on the site and make them install it and use sftp.. Not an ideal option, but somewhat workable.
So where is the drop in replacement for FTP? Why isn't anyone working on this?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Here's a note I just sent to their web master (they had no other place to send "comments"):
Overall the top20 list is a good summary as always.
However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:
'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'
Is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP enabled software to version 3 compliant SNMP agents and to disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors implement the v3 protocol so there is very little excuse for not using it (and, worst case you can deploy v3->v1 proxies near v1-devices to minimize the transmision distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
This one surely defines the need for it.
- Windows 95
- Windows 98/ME
- Windows NT
- Windows 2000
- Windows XP
Wait, there are more than 5?After reviewing the list, I suspect some of this is based on how prolific the worms got for each respective hole - - IIS gets top of the list for nimda, same with apache & ssh. sendmail has had a HUGE number of security problems, but most of them had been found 'pre-wild-worm madness'. I guess this is the right way to do it - - but then it just seems like all we'd need to do to make this report is measure the amount of press during each outbreak. I'm not very impressed with this list - - it's all old news.
However, 4(w4, w5, w7, w10) of the Win vulnerabilities are integral parts of the OS so you can't remove/fix them without hosing your PC.
Gee, which OS is more secure...looks like *nix again. So no, they are completely different.
which, lately, have come with unacceptable EULA terms
/me rolls my eyes
OK, name one. I wonder if you can.
and mandatory downloads of other software.
Once again, name the software.
Correct me if I'm wrong, but I've read that all you need to do is change the value of the DWORD "restrictanonymous" in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\Lsa from 0 to 1.
Right?
I think its rather interesting that bind was included on this list, especially ironic because it was listed as number "9". Bind 8 did have a terrible security reputation, but all of the bind 9 releases have been essentially bug-free. I believe there have been one or two denial-of-service exploites released, but nothing that would bring the internet's name services crashing down. Additionally, bind 9 has the ability to run as the permissions of another user -and- in a chroot'd environment, which makes the box worthless to the attacker even if they are able to break in (can we say "ls: command not found").
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Sys admins spending more time reading /. than patching and monitoring their servers.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Users and administrators.
Either base system can be secure or as full of holes as your mother. Apply the relevant patches in a timely manner, and you're mostly ok (so far).
Clueful users do not generally get rooted. In either system.
If your not familiar with SANS, you aren't doing your job as a sys admin.
...are STILL the major cause for security violations, on both unix and windows platforms. I don't know whether to blame the language or the programmers.
- 166
Slightly off-topic, debian has this security advisory for the "purity test" package:
http://www.debian.org/security/2002/dsa
quote: "A malicious user could alter the highscore of several games."
heh.
Wrong. The #1 for windows is the user.
Bunch of idiots.
Read the below sig before responding.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
If you read the article closely, the biggest way to protect a *nix system against hacks is to update regularly. I guess their list is assuming people don't keep updated (which, based on the fact *nix hosted webpages are defaced, may be correct). So incase you're not already, update your packages, people. Otherwise, the Nix issues don't really seem to be there.
Karma: Not Particularly Funny.
Given that Win doesn't have group ownership for files, it really doesn't matter if your running as admin or guest. You can still use WSH as a guest and be able to fuck with system files, you just can't play with the registry...nice security model, it doesn't exist for files on Win systems.
Perl on the other hand can't mess with files if the UID for the process doesn't have permission to...ooohhh, file security.
We had to install a virus checker on our Unix boxes at work. In the manual they ask the question 'Why a virus checker for Unix?'. Their reply was 'because of all the Windows viruses'. Seems they thought it a good idea to catch them before they got to the Windows boxes. They are the professionals, I have to believe them.
Just to be a /bot for a second, I thought it was funny that the primary concern with Apache was insecure CGI scripts. And the point about "even Apache's own website was defaced" says nothing about boxes being 0wned. Just a chrooted nobody user account. (And yes, I assume that Apache runs their own server chrooted)
As to the submitter saying the vulnerable UNIX apps are basically a laundry list of apps he uses daily, that's too bad. Never once have I needed to put NFS, rlogin, or FTP into production. I was always taught that the "r" meant "raped".
Intelligent Life on Earth
How about - MS can at any time DL and install security updates on your system without your knowledge/input.
And the implementation of DRM in media player upgrades (which if you want 'secure' you need to upgrade).
You'd be right, if your system is using FAT16/32, though why you'd ever use that on an NT-based system (note my comment about NT-based Windows systems, and Win9x being dead), I don't know. Use NTFS, setup proper permissions (should be setup by default, if you installed using NTFS), and you have a better ACL system than the default user/group/other UNIX permission system (yes, I know various unices have better ACL systems, and various filesystems for Linux do as well, but most people use ext2 at the moment, which just does ugo by default -- you can add patches that do real ACLs, but last I checked that wasn't part of 2.4).
Just taking a quick look of C:\Windows on my XP system, I see:
So how is it, again, that Windows doesn't have group ownership?
About IIS ...
Combined with the facts that their default location is readily known and their source code is readily available for scrutiny, this makes them prime exploit targets. The consequences of such exploits can be severe; for example
Or rather I should say Simplyfying PARTS of the Securing process.
Two simple rules I follow during initial installation. Dont install anything more(as far as network software) than you absolutely need. I dont even have Portmap installed.
Secondly, any software that you do install should be of a stable version unless you explicitly want it otherwise.
Generally following these two steps will eliminate alot of vulnerabilities to your system right out of the gate. It certainly wont garauntee security, but it will help with any additional post-installation securing procedures(firewalls, Intrusion Detection, Crypto, etc..) that one undertakes.
Am I being redundant here? Probably. But alot of people really should pay more attention to the K.I.S.S. philosophy. Saved me alot of headaches anyways.
another statisitic I would like to see is how many observed vulnerbilites they have seen in the wild...
(of course unix/lunix would be lower)
But I recoomend they should do a benchmarking like:
Vulnerbility/(total machiones installed with that os)
I will know that my box and firewall are both inadequate when I find a stack of test pages falling onto the floor... OK, now I am running CUPS, you can shorten the *nix by one.
What exactly is your fucking point? That you believed yourself ignorant of Windows security issues, found you weren't, then had to prove yourself a twat after all by going on about it?
I love W5. It implies that the vulnerability is the leakage of information to an intruder.
It seems to me that, since it points out the the scans are often run as "System" by the legitimate users, then by properly crafting a response to an inquiry, and puttting my machine out there, the real vulnerability is to the systems, like the domain controllers, which scan (potentially trojaned) remote machine, without dropping "System" priviledge first.
It seems to me that an exploit using SAMBA source code ought not to be that hard to write...
-- Terry
Nearly all Linux systems and many other Unix systems come with Apache installed and often by fault enabled.
Although I presume that they meant to say 'by default enabled', I (like many others) feel that it is an error to have most facilities enabled by default. Thus the default is IMHO a fault.
I would much rather have various facilities disabled by default, with easily-accessible tools which enable those facilities (and give appropriate security warnings). Manufacturers, like sun, who ship machines with everything and their dogs enabled should be hung by their toes and beaten mercilessly with burnt-out '286s.
The standard defence that most of these systems ship to sites with well-traind sysadmins who know what to disable is silly. If a site has well-trained sysadmins, then they should know how to enable the required facilities. Sites without well trained sysadmins probably don't have good security, either, and most desparately need to have all of those holes covered when the system ships.
For admins who care more about getting a system running easily than they do about security, vendors like sun could have a program (named 'goahead-shootme') that enables all facilities just like the old (de)fault had it. Better yet, of course, would be a simple menu-driven / GUI program that allowed you to turn on/of various facilites and daemons (and possibly even provided an explanation of why). -- Bastille Linux comes to mind...
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
these 2 lists are completely rediculous. why would they include this only on the *nix side? they wrote "# U10 General Unix Authentication -- Accounts with No
Passwords or Weak Passwords" jeez!
i can imagine all those US gub'mnt schmucks sitting around saying:
Jim: Well, come on guys we can't make MS look too bad..they'll stop paying us!
Bob: ok ok, i got an idea.. let's put 10 vulnerabilities on each platform, that way they look equally bad!
Jim: ya! good idea! ok, i'll do the MS list, and you do the *nix list. ok?
5 minutes later..
Jim: whew, those MS vulnerabilities were easy, and i even had leftovers! i just picked the best outta 50. what about you, Bob. are you done yet?
Bob: fuck no, i'm on like, number 5. you know, most *nix vulnerabilities happened years ago and are long patched. here, help me out..
Jim: um, oh, i got it! how about users not given passwords, that could be a vulnerability!
Bob: ya, ok. oh! and those damn foreigners! they're always tinkerin with that open source stuff. what a threat to national security!
Jim: yes! yes! and um...oh!. most *nix computers have keyboards attached to them! a total security risk! woohoo, number 8 and almost done!
MS can at any time DL and install security updates on your system without your knowledge/input.
BZZZZZZzzzzzzzzzz. Sorry, guess again. It's not there. Perhaps you are referring to the clause that allows the operating system feature, namely Windows Update, to automatically download and update your system? The one that the user has to enable? Sorry, nothing coercive about it.
And the implementation of DRM in media player upgrades (which if you want 'secure' you need to upgrade).
Yes... and? That applys DRM to the Microsoft's secure music technology, not to anything else.
Yes, I have looked at the logs for an Apache server we run at work, and it's hilarious. One can merely politely ask for access to various memory locations. It's a terrible joke; if it wasn't reality, and gaining market share, it would be really funny.
It's been a long time.
Only on the Unix side?
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
Even aside from applications that still limit passwords to 8 characters, wimpy passwords are a real problem. Wimpy root passwords are the worst (do the password utilities still let root assign wimpy passwords?) but wimpy user passwords let attackers break into user accounts, which is a starting point for attacks on more serious weaknesses.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
- Buffer Overflows! If people are going to insist on using C to write important applications, they need to use libraries that check input properly if they're not going to do the job themselves! This is about the most basic bug you learn to avoid when you learn arrays, and C's pointers don't give you protection so you're warned to do it yourself where you need it.
- Not Checking Input for Validity! This is about the second lesson in CS100 classes, or was back when I took them - Never Never Never trust that your program has been given correct input, especially input that cares about size and type.
- Not checking for Cleverly Malicious Domain-Dependant Input - OK, some kinds of input checking go beyond the basics, but at least make sure not to let users provide input that uses ".." in directory paths or lets unauthorized people store important data.
- Running things are ROOT that don't critically need to - Mail doesn't need to run as root just to deliver mail to mailboxes - group permissions with the application running as group mail works just fine. Web Servers doesn't need to be root, and DNS doesn't need to be root, and Printer Daemons don't need to be, and most ftp servers don't need to be (a few might). SSH probably does, but there may be ways to work around that.
- Operating Systems that force applications to user root privileges - TCP and UDP well-known ports shouldn't need root permissions to run them, except perhaps in very special cases, and forcing them to have root permissions increases the probability that an inadequately-written application will be running as root instead of chroot-jailed.
- Applications writing over their own configuration files - if you take advantage of operating system permissions, that reduces your need to defend against cleverly malicious input. Be careful out there, and use them.
- Applications that force users to use too-short passwords - 8-character passwords have been obsolete for years. Even if you let users pick wimpy ones, at least don't *force* them to.
That's certainly not everything, but it's an appallingly high fraction. Making sure applications don't run as root doesn't prevent things like mail viruses or web server viruses from flooding the net with bogus emails, but it makes it harder, and reduces the potential damage. At least practice enough basic hygiene that attackers have to be careful, creative, and hardworking....Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Somebody mod up the parent of this comment.
"lugonn" has apparently never used an NT-based Windows.
For 2000, pre SP2
For 9x boxes
That's Media Player, not IE. The two pieces of software are not the same.
There has never been, to my knowledge, any clause in a security update for IE that changed the EULA in such a negative manner.
I wholly agree with flacco that such clauses in security updates are unacceptable.
The "operating system feature" that shipped bundled as part of Service Pack 3. It does pop up a wizard the first time the local machine administrator logs in, but until then, it is indeed enabled by default. Log in as a regular old domain user after the reboot and take a look.
Wrt license agreements in updates/patches, I always liked it better when it was two lines long and said "This operating system feature is distributed under the same license as Windows NT 5.0. Please refer to your operating system documentation." (The old Windows Messaging, if anyone cares).
Web administrators too often conclude that since Microsoft's Internet Information Server (IIS) is exceptionally prone to compromise (see W1. Internet Information Server), the open-source Apache web server is completely secure. While the comparison with IIS may be true, and although Apache has a well-deserved reputation for security, it has not proved invulnerable under scrutiny.
It amazes me how often these vulnerabilities are caused by things that they teach in beginning programming classes, like bulletproofing your code.
With windows it's turning on the computer.
Jonahweb.com has stuff.
by my count, 8/9(*) Windows voulnerabilities are directly attributed to Microsoft.
No two UNIX voulnerabilities can be blamed on the same supplier.
Is there a better argument for "MS is a monopoly and should be broken up"?
(*)I'm not counding "weak passwords", that's universal.
at their solutions for the Unix's Weaknesses. That is don't run them. Such as Sendmail. It has accounted for major cracks a number of years ago, but it has been working well for the last 2 years. Do they suggest stopping IIS, or IE, or Outlook, or SQL Server???? No. Personally, if I had a a few millions hanging around or was a lawyer, I would sue a few major companies that got cracked who were running MS.
hey, some of us need free webhosting
Unfortunately, it ain't free anymore unless you hardly have any visitors. They count their own pop-up ads as part of the quota for free webpages. My anti-OO website has graduated to enough popularity to exceed the quota, so now I have to fork over a bit of moola.
Since that person is bashing geocities, I wonder what great, stable ISP they recommend instead?
Table-ized A.I.
The "operating system feature" that shipped bundled as part of Service Pack 3. It does pop up a wizard the first time the local machine administrator logs in, but until then, it is indeed enabled by default. Log in as a regular old domain user after the reboot and take a look.
I dunno about your system, but it wasn't enabled on my system. I recently did a fresh install of WinXP and -- surprise, not enabled here either, even after SP1.
C'mon...the snmp one should be thrown off the unix list. Winders has snmp, and network devices have snmp. Just because you can do snmp stuff with Unix doesn't make it a unix vulnerability anymore than a windows one.
As for userid's and passwords - I've seen equally week NT setups - even more common for people to use no passwords on NT, since Win clients are connecting. As for tracking what a user is doing - ps anyone? Lets see you track what an authenticated user can do with RPC on a windows network.
This was Windows 2000, updating from release to SP3. I didn't wait around with tcpdump to see if it ever connected anywhere, but the box was checked immediately following reboot on two seperate machines today.
The defaults aren't really intrusive so much as they are annoying. I wish they'd distribute just the security updates and bugfixes in the service packs, leaving the new features to be installed seperately.
But back to the original point: at least in Windows 2000, the automatic update piece (and accompanying EULA modifications) were bundled with the service packs. The coersion, IMHO, is being forced to accept a modified EULA to get your security updates. Not some default behaviour of the update software itself.
ultimate foolproof network security model
Shatter Exploit?? Come on. This exploit is worse than any of the ones listed.
Those other flaws are weak in comparison to one where someone can own your university network.
-- -=innocent ramblings from the mind of an insomniatic programmer=-
These clowns must of just looked up their MCSE book or the MS website for their advice on security. recommending to use only NT authentication on sql server. yeah Im going to let
an IIS server connect through Nt authentication only... right.
Windows!
:)
deus does not exist but if he does
Nuff said
Apache: I'm aware that it is the most used web server under Unix, but the article says:
U2.2 Operating Systems Affected
Nearly all Linux systems and many other Unix systems come with Apache installed and often by fault enabled. All Unix systems are capable of running Apache. (Windows administrators should be aware that the version of Apache for Windows is likely subject to the same or similar vulnerabilities.)
What is the marketshare of Apache (with respect to ISS) under Windows? It would be funny to note that the second 'most dangerous' vulnerability in Unix is overwhelmed by at least 9 other security flaws under Windows. I know, it could be because Windows boxes running Apache are few compared to those running ISS.
Signatures are for stupids.
You sez:
"...the fact that only one(u10) Unix vulnerablity has to do with
the OS itself, and the rest are program related. All of which can
easily be removed without harm to your boxen."
While the above is TECHNICALLY CORRECT, please remember, when it comes to VULNERABILITY, even ONE is TOO MANY !
Muchas Gracias, Señor Edward Snowden !
The register points to the 2002-09-27 SANS/FBI top 20 most critical internet security vulnerabilities. 2000's top vulnerability, BIND weaknesses, dropped to Unix number 3 last year, and number 9 this year.
CowboyNeal for president!
"Hit any user to continue."
Two top tens out of different sections combined does not always make a top twenty. It usually doesn't. In this case, Windows should probably have had more than ten entries, while unix should have less.
Yeah, and on Unix, Apache is #2, and ssh is #3. It amazes me how hard this seems to be to grasp for most unix administrators...
Unlike most UNIX-based distributions, Mac OS X client arrives with its root account disabled (users are lower level admins or normal users) and all of its external services disabled by default. The root account can be enabled if necessary, but at least root breaches aren't immediately possible out of the box.
That doesn't make Mac OS X immune from common UNIX vulnerabilities, but it does mean administrators have fewer worries from these systems on setup since Apache, SSL, Windows File Sharing, FTP, printer sharing, Apple File Sharing, and Remote Apple Events are inactive, providing less of a target.
Mac OS X 10.2 finally provides a GUI for its ipfw firewall settings to lock out these ports, automatically preventing these ports from being open unless the user activates the service.
Vos teneo officium eram periculosus ut vos recipero is.
You are incorrect. Vulnerabilities 4,5,7,and 10 are easily fixed/corrected by any competent Administrator.
4. Assign security rights when you create shares, don't accept the defaults
5. Never allow Anonymous logins.
7. You can change the Windows settings to only use NTLM which is much more secure than LM.
10. Remove Windows Scripting Host.
The SSH issue was not a problem on most systems by default. While Apache needs to be updated, the patches are readily available.
I found it amusing that rather than a general program they bring up weak passwords.
Just a Tuna in the Sea of Life
34sp.com
IANTOP HTH HAND
the automatic update piece (and accompanying EULA modifications) were bundled with the service packs.
Right. A service pack, not a security update. Service packs include everything, like they're supposed to. If you want just the security updates, no problem. Go to town.
Now that that's out of the way. It is very easy to build an active X control that can bypass login sytems on Win boxes. I know becuase this box I'm posting from was cracked that way...many moons ago. File permissions on NTFS mean nothing when the OS controlling them gives full access to programs that are running, even if they were started by a guest/user.
"Flesh(Win) is a trap...and Magic(*nix) sets us free." -Dorthea Swan
i hope somebody gets the inside *nix joke
Where are the convenient bundles of security updates?
I've always installed the service packs solely to fix horrific bugs and system-level compromises. I know I'm not alone, either. Are you suggesting that pushing out every Qxxxxx hotfix would be preferable to just deselecting a few unwanted components from a hypothetical SP4 install?
Just a preference of mine, really. I've never liked leaving unused software on systems, regardless of whether it's turned on or not.
It is very easy to build an active X control that can bypass login sytems on Win boxes.
I'm not sure what your point is... just because you can bypass the group permissions doesn't mean they aren't there. If that's what you meant, you should have said that in the first place. (and I assume you can disable active x for non-admin users anyway)
Not that I'm saying that Windows isn't less secure than Unix, that would be silly.
(and if there's any moderators still around, feel free to mod down this comment of mine, it's done its job)
I meant that the group permissions in Win are a joke, and they don't really protect anything from a serious attack. They were designed to prevent unauthorized software from being installed by non-admins on a domain. It was a convienence thing for admins, not especially for security. They aren't intergral to the OS, just the file system, you can end run around the file permissions through the OS via escalation.
Which is why WSH is dangerous. You don't have to be admin to make WSH start erasing .dll's on the machine. The group settings under windows are for users convienence, not security. It is not group permissions in the same sense as *nix group permissions, it's a cheesy fake-out labled 'group permissions' by marketing dips so they can 'claim' Win is secure. It doesn't really matter if it is or not to them.
However, to get Perl to do admin things on a *nix box, you have to start the process as admin/root/whatever or else it can't access the files, and the OS won't let you escalate. That's security, not marketing spin.
Mandrake Services is exactly the GUI service manager you are describing. It has a list of available services, whether they are running or not, the ability to start/stop them, and also to set if they are started at boot.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Too often people have come to me and said, "If I had just one wish for
anything in all the world, I would wish for more user-defined equations
in the HP-51820A Waveform Generator Software."
-- Instrument News
[Once is too often. Ed.]
- this post brought to you by the Automated Last Post Generator...
About RH 8.0 compiled for i686, please check my journal